Mini Topics On RSA and Discrete Logarithm Problem 賴奕甫 1 Contents • Mini Topics on RSA Encryption • RSA bit Security • DLP bit Security 2 自我介紹 • 賴奕甫 (男) • 82 (1993) 年生 • 台大數學所碩二 (已通過口試) • 興趣:半夜慢跑, 摺紙 3 Chinese Remainder Theorem 中國南北朝時期（公元5世紀）的數學著作《孫子算經》卷下第二十六題， 叫做「物不知數」問題，原文如下： 有物不知其數，三三數之剩二，五五數之剩三，七七數之剩二。問物幾何？ 푥 = 2 푚표푑 3 푥 = 3 푚표푑 5 푥 = 2 푚표푑 7 4 Chinese Remainder Theorem Chinese Remainder Theorem: For 푥 ∈ ℤ푛∗푚, Given 푛, 푚 with 푔푐푑 푛, 푚 = 1. 휙 푥 = 푥 푚표푑 푛 , 푥 푚표푑 푚 Then the natural homomorphism 휙 ∶ ℤ푛∗푚 → ℤ푛 × ℤ푚 is an isomorphism. <sketch> “Well-defined” “hom” “surjective” 5 RSA Encryption (Notation) • Public Key :(푁 = 푝 ∗ 푞, 푒) ( 푝, 푞: distinct primes, 푔푐푑 푒, 휙 푁 = 1) • Private Key: 푑 (푑푒 = 1 푚표푑 휙 푁 ) (푁, 푒) 푐 Message: 푚 ∈ ℤ푁 Decryption: Encryption: 푑 푒 푐 = 푚 ∈ ℤ푁 푐 = 푚 (푚표푑 푁) 6 Mini Topics on RSA encryption. • The following content is not about the factoring algorithms but about some little topics in usage or on parameter settings in the RSA encryption. 7 RSA • Can 휙(푁) be leaked? • 푑 can be chosen to be 푑푒 = 1 푚표푑 푙푐푚 푝 − 1, 푞 − 1 • What if 푒 is chosen too small (푒 = 3)? Can N be a domain parameter? • Can we only choose new 푑 if the old one is exposed • Can 푑 chosen to be small? (for speeding up decryption) • Is the least significant bit encryption of RSA as secure as the whole? 8 Can 휙(푁) be leaked? Solve 푞 by the following steps: • Assume 휙 푁 = 푝 − 1 푞 − 1 is given • Public Key 푁 = 푝푞 • Write 푝 = 푁/푞 • Then 푁 휙 푁 = 푞 − 1 푞 − 1 ⇒ 휙 푁 푞 = 푁 − 푞 푞 − 1 • ⇒? 9 푑 can be chosen to be 푑푒 = 1 푚표푑 푙푐푚 푝 − 1, 푞 − 1 • Show the correctness: 푑푒 푚 = 푚 푚표푑 푁 푓표푟 푎푛푦 푚 ∈ ℤ푁 <proof>: Consider Chinese remainder theorem, it suffices to proof 푚푑푒 = 푚 푚표푑 푝 푚푑푒 = 푚 푚표푑 푞 <case:푝|푚 or 푞|푚>: HOLDS! <case:푝 ∤ 푚 and 푞 ∤ 푚>: It suffices to show 푚푑푒−1 = 1 푚표푑 푝 10 Show the correctness: 푑푒 푚 = 푚 푚표푑 푁 푓표푟 푎푛푦 푚 ∈ ℤ푁 <proof>(continued) <case:푝 ∤ 푚 and 푞 ∤ 푚>: Since 푙푐푚 푝 − 1, 푞 − 1 | 푑푒 − 1, 푝 − 1 | 푙푐푚 푝 − 1, 푞 − 1 , and 푚푝−1 = 1 푚표푑 푝 (Fermat’s little theorem) 푚푙푐푚 푝−1,푞−1 = 1 푚표푑 푝 , so 푚푑푒−1 = 1 푚표푑 푝 ∎ 11 What if 푒 is chosen too small? -Hastad’s Broadcast Attack • Take 푒 = 3 for example • Assumption: • There are 3 people use RSA encryption with public key 푁1, 푒 , 푁2, 푒 , (푁3, 푒) (relatively prime 푁1, 푁2, 푁3) • They receive a cipher 푐 from the same message 푚 with their own public keys. (푚 < 푁 for all 푖) • Oscar collects 푁, 푒 = 3 , and 푐. By CRT, ∃! 푐 ∈ ℤ푁1푁2푁3 satisfies 푐 = 푐1 푚표푑 푁1 푐 = 푐2 푚표푑 푁2 푐 = 푐3 푚표푑 푁3 12 What if 푒 is chosen too small? -Hastad’s Broadcast Attack • Oscar collects 푁, 푒 = 3 , and 푐. By CRT, ∃! 푐 ∈ ℤ푁1푁2푁3 satisfies 3 푐 = 푐1 = 푚 푚표푑 푁1 3 푐 = 푐2 = 푚 푚표푑 푁2 3 푐 = 푐3 = 푚 푚표푑 푁3 3 • Hence, 푐 = 푚 푚표푑 푁1푁2푁3 3 • Notice that 푚 < 푁1푁2푁3 • ⇒? 13 Example • (See) 14 If 푒 = 3, then half of bits of 푑 are exposed (roughly). Assume primes 푝, 푞 > 5 and 푑 < 휙 푁 . Claim: 푒 = 3 ⇒ 푒푑 = 1 + 2휙 푁 <proof> Write 푒푑 = 1 + 푘휙 푁 = 1 + 푘 푝 − 1 푞 − 1 Known 0 < 푘 ≤ 푒 = 3 Calculate 푝 − 1 푚표푑 3 ∵ 푔푐푑 푝, 3 = 1 and 푔푐푑 푝 − 1,3 = 1 ∴ 푝 − 1 = 1 푚표푑 3 Similarly, 푞 − 1 = 1 푚표푑 3. Hence, 푘 = 2 푚표푑 3, so 푘 = 2 ∎ 15 If 푒 = 3, then half of bits of 푑 are exposed (roughly). 1 1 • Let 푑′ = 1 + 푘푁 = 1 + 2푁 . 푒 푒 • Claim 푑′ − 푑 < 푝 + 푞 <Proof> 1 1 Write 푑′ = 1 + 2푁 = 1 + 2푁 + 휖 for some 휖, 휖 < 0.5 푒 푒 Then 푑′ − 푑 =? 16 If 푒 = 3, then the linear relation of messages can not be known. • Assumption: • Alice uses RSA encryption with her public key 푁, 푒 = 3 • Encrypting 푚1 and 푚2 with a linear relation 푚2 = 푎푚1 + 푏 • Given two ciphertexts 푐1, 푐2 and the coefficients 푎 and 푏 • Oscar calculates 3 3 푏 푐2 + 2푎 푐1 − 푏 3 3 푚표푑 푁 푎 푐2 − 푎 푐1 + 2푏 3 3 푏 푐2 + 2푎 푐1 − 푏 3 3 =? 푚표푑 푁 푎 푐2 − 푎 푐1 + 2푏 17 Example • (See) 18 Can N be a domain parameter? 푁 = 푝푞 Compute 푑푒 = 1 푚표푑 푁 푑1, 푒1 푑3, 푒3 푑2, 푒2 19 Can we only choose new 푑 (and 푒) if the old one is exposed?(With the same 푁) • Claim: Given 푒. “Knowing 푑 ⇔ Factoring 푁” • “⇐”: Obviously, “Factoring 푁”⇒”Obtain 휙(푁)” ⇒”Getcha 푑” • “⇒”: The proof is an algorithm: Main idea: find x, 푥2 = 1 푚표푑 푁 Since 푁 = 푝푞 | 푥 + 1 푥 − 1 , if 푥 ≠ ±1 푚표푑 푁 , then gcd 푥 ± 1, 푁 will factor 푁. Intuition: 푚푑푒−1 = 1 푚표푑 푁 푖푓 푔푐푑 푚, 푁 = 1 푡 푚2 푟 = 1 푚표푑 푁 푖푓 푔푐푑 푚, 푁 = 1 20 Remark: You can further prove that the algorithm Can we only ischoose able to factornew N with푑 probability(and 푒 greater) than ½ for each choice of 푚 if the old one is exposed? (With the same 푁) • Claim: Given 푒. “Knowing 푑 ⇔ Factoring 푁” • “⇒”: Main idea: find x, 푥2 = 1 푚표푑 푁 Write 푘 = 푑푒 − 1 = 2푡푟, where 푟 is odd 1. Choose 푚 ∈ 2, … , 푁 − 1 at random Say 푔푐푑 푁, 푚 = 1 (why) 2. If 푚푟 = 1 푚표푑 푁 then back to 1. ′ 3. Compute 21푟, 22푟, 23푟, … until 2푡 푟 = 1 푚표푑 푁 first occurs. 푡′−1 4. If m2 푟 = ±1 푚표푑 푁 then back to 1. ′ 5. Else factor by 2푡 −1푟 푁 푔푐푑(푚 ± 1, 푁) 21 Can N be a domain parameter? • Given 푒. “Knowing 푑 ⇔ Factoring 푁” • Hence, it’s insecure that a group uses the same composite N with different 푒, 푑 22 Question: Dose the other choice of 푑 푑푒 = 1 푚표푑 푙푐푚 푝 − 1, 푞 − 1 alter the result? • Given 푒. “Knowing 푑 ⇔ Factoring 푁” • 푑푒 = 1 푚표푑 푁 • 푑푒 = 1 푚표푑 푙푐푚 푝 − 1, 푞 − 1 23 Example • (See) 24 This is a Kitten Licking Its Paw! 25 Can 푑 be chosen to be small ? (for speeding up decryption) • Wiener’s Attack: 1 1 Given 푁, 푒. Assume 푞 < 푝 < 2푞 and 푑 < 푁4 3 Then there is an efficient way of factoring 푁. • Goal: 푑푒 = 1 푚표푑 휙 푁 ⇔ 푑푒 − 푘휙 푁 = 1 Find 푘/푑 26 Continued Fraction • 푥 = where 푎0 is an integer and 푎 is non-negative integer for 푖 ≥ 0 is said to be a continued fraction expression of 푥, denoted [푎0; 푎1, 푎2, … ]. • Any rational number can be written as a continued fraction form 44 2 1 1 = 6 + = 6 + = 6 + = [6; 3,2] Ex. 7 1 7 7 3 + 2 2 1 = 6 + = [6; 3,1,1] 1 3 + 1 27 1 + 1 Convergents • You can also use the Euclidean algorithm to compute a continued fraction expression 1234 = 567 ∗ 2 + 100 1234 1 = 2 + 567 = 100 ∗ 5 + 67 1 567 5 + 100 = 67 ∗ 1 + 33 1 1 + 1 67 = 33 ∗ 2 + 1 2 + 33 푡ℎ • Let 푥 = [푎0; 푎1, 푎2, … ], 푦 is said to be the 푖 convergent of 푥 if 푦 = [푎0; 푎1, 푎2, … , 푎 ] 28 Origin : Rational Approximation by Continued Fraction Theorem. Let 푥 be irrational, and let 푘/푑 be a rational number in lowest terms with 푑 > 0. Suppose that 푘 1 푥 − < . 푑 2푑2 Then 푘/푑 is a convergent in the continued fraction expansion for 푥 29 Origin : Rational Approximation by Continued Fraction 푒 Theorem. Let 푁 푥 be irrational, and let 푘/푑 be a rational number in lowest terms with 푑 > 0. Suppose that 푘 1 푒 푥 − < 2 . 푁 푑 2푑 푒 Then 푘/푑 is a convergent in the continued fraction expansion for 푥 푁 푑푒 = 1 푚표푑 휙 푁 ⇔ 푑푒 − 푘휙 푁 = 1 30 Wiener’s Attack: 1 1 Given 푁, 푒. Assume 푞 < 푝 < 2푞 and 푑 < 푁4 3 Then there is an efficient way of factoring 푁. • Wiener’s Lemma. Given 푁, 푒, where 푁 = 푝푞 and 푑푒 − 푘휙 푁 = 1 1 1 Assume 푞 < 푝 < 2푞 and 푑 < 푁4 3 Then 푒 푘 1 − < . 푁 푑 2푑2 • Corollary. Using the condition above. Then 푘/푑 is a convergent in the continued fraction expansion for 푒 푁 31 <Proof> 푒 푘 1 + 푘휙 푁 − 푁푘 − = Wiener’s Lemma. 푁 푑 푑푁 푁 = 푝푞 3푘 푁 3푘 < < 푑푒 − 푘휙 푁 = 1. 푑푁 푑 푁 푞 < 푝 < 2푞 1 1 1 1 < < 푑 < 푁4 휙 푁 − 푁 = 푝푞 − 푝 − 푞 + 1 − 푝푞 1 3푑2 3 = − 푝 + 푞 − 1 푑푁4 > −3푞 Then, > −3 푁 푒 푘 1 푑휙 푁 ≥ 푑푒 > 푘휙 푁 − < . ⇒ 푑 > 푘 푁 푑 2푑2 32 Example : Wiener’s Attack • (see) 33 Take a look at SP800-56B • (See) 34 Bit Security of RSA Problem Is the least significant bit in the encryption of RSA as secure as the whole? 賴奕甫 RSA Problem •RSA Problem： Given 푁, e and 푐 = 푚푒 푚표푑 푁 , where 푁 = 푝푞 , 푝, 푞: distinct odd primes 푑푒 = 1 푚표푑 휙 푁 Find (푚 (푚표푑 푁)) 36 A Fact: 퐹푎푐푡표푟푖푛푔 푃푟표푏푙푒푚 ≥ RSA 푝푟표푏푙푒푚 is known 퐹푎푐푡표푟푖푛푔 푃푟표푏푙푒푚 ≱ RSA 푝푟표푏푙푒푚 or 퐹푎푐푡표푟푖푛푔 푃푟표푏푙푒푚 = RSA 푝푟표푏푙푒푚 is unknown 37 RSA Problem • RSA Problem： Given 푁, e , where 푁 = 푝푞 , 푝, 푞: distinct odd primes 푑푒 = 1 푚표푑 휙 푁 푓 푥 = 푥푒 푚표푑 푁 is a 표푛푒-푤푎푦 function 38 •RSA Problem： 푓 푥 = 푥푒 푚표푑 푁 is a 표푛푒-푤푎푦 function • Even though RSA problem may be hard, that does NOT mean we can know nothing from it.